The views of one man on security, privacy and anything else that catches his attention. The views expressed on this blog do not reflect the views of my employer or anyone other than myself.

Archive for June, 2012

*** Dire Warning *** If you’re in the habit of reusing passwords AT ALL: 1) stop it! 2) if you have a LinkedIn account, change that password immediately on as many sites as you can remember using it. Then get yourself a password management program (like 1Password or LastPass) with a random password creator and learn to use it for all sites. *** Dire Warning ***

Now that the dire warnings are out of the way, let’s look at what happened. This morning it was disclosed that 6.5 million LinkedIn password hashes were posted online. LinkedIn was not using a salted hash for storing passwords, which means that while the passwords can’t be decrypted in any way, attacking the password file with dictionary attacks and other similar methods is very effective. Additionally, the 6.5 million hashes are each unique, meaning that they represent a much larger portion of the LinkedIn passwords, possibly even the entire database. One of the best analyses of the password hashes and what they mean was done over at Hacker News and covers a lot of what the disclosed hashes mean in really geeky terms. Another great resource, thrown up by Robert Graham this morning, lets you enter a password to see if it is amongst those stolen. If you don’t find your password in the database, try replacing the first 5-6 characters of the hash with zeros and look again.
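To make the unsalted-hash point concrete, here is an added illustration (not code from this post, from LinkedIn, or from Robert Graham’s tool). It assumes SHA-1 as the unsalted algorithm, builds a constructed sample dump inline (including entries whose first five or six characters are zeroed, the case the paragraph says to check for), and contrasts that with a per-user salted hash.

```python
import hashlib
import hmac
import os


def sha1_hex(password):
    """Unsalted SHA-1 (assumed algorithm): the same password gives the same hash for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def masked(digest, n=5):
    """Copy of a hex digest with its first n characters replaced by zeros."""
    return "0" * n + digest[n:]


# Constructed sample "dump"; the plaintexts are known only because this file builds it.
SAMPLE_DUMP = {
    sha1_hex("linkedin"),            # intact unsalted hash
    masked(sha1_hex("password1")),   # first five characters zeroed
    masked(sha1_hex("letmein"), 6),  # first six characters zeroed
}


def in_dump(password, dump):
    """True if the password's unsalted hash is in the dump, intact or with 5-6 leading characters zeroed."""
    h = sha1_hex(password)
    return not {h, masked(h, 5), masked(h, 6)}.isdisjoint(dump)


def dictionary_hits(wordlist, dump):
    """Why unsalted hashes fall to a wordlist: one hash per word matches every intact dump entry
    that shares the password, with no per-user work at all. Returns {hash: word}."""
    hits = {}
    for word in wordlist:
        h = sha1_hex(word)
        if h in dump:
            hits[h] = word
    return hits


def salted_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus PBKDF2: equal passwords no longer share a stored value,
    so no table can be computed once and reused across the whole file."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, _ = stored.split("$")
    expected = salted_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(expected, stored)
```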

The other point I wanted to make was that while LinkedIn’s response (1, 2) to this compromise hasn’t been atrocious, it’s been far from a good example of how to do compromise disclosure. If you want a good example, look at the recent post mortem writeup by CloudFlare, stating in great detail how they’d been compromised so others could learn from their problems. I’m willing to give the LinkedIn team and Vicente Silveira the benefit of the doubt and assume they learned about the password file at the same time as everyone else, but their initial reaction was to say they were looking into it, even though a number of security professionals had already stated their passwords were definitely in the file. When they did admit it was their database a few hours later, they stated they had ‘enhanced’ their security to include hashing and salting of the database. I can only assume the enhanced security measures were put in place this morning, and I’d give them more credit if they’d admitted that instead of making it seem like it was something they’d already planned to do. I do have to give them kudos for reacting quickly and giving users concrete steps to take in response to the compromise, but they lose at least as many points for not being up front about what’s really happening. Of course, that may be because of the Marketing and PR departments more than anything, but I’m not willing to cut either of those departments any slack for a security incident.

Of course, this is all injury added to the assault that was disclosed yesterday, the fact that the LinkedIn mobile application collects all of your calendar notes. And since they had your calendar data and there’s a possibility your account was compromised, if you’re using the LinkedIn iPhone app, you’d better assume all of your calendar data is also compromised. I hope you didn’t have any important or sensitive information in your calendar!

This is our last podcast before we take a month-long hiatus! Rich is currently on what he calls “vacation” (an alien concept to some of us), with Martin planning to do the same soon. Zach is prepping his liver^Wbrain for SummerCon this weekend in NYC.

I’ve always hated the way Facebook has endeavored to track every single action their users take. Which is funny, considering how much of my life I put on Twitter. But the main difference between the two social media platforms is about choice, at least for me. With Twitter, I decide what to put online 140 characters at a time. I might reveal a little more information if I’m not careful with GPS settings on my phone or camera, but for the most part it’s simply the statements that I choose to make that go online and are published for everyone to read. However, from the early days, Facebook has been far more intrusive and has done everything they can to track each and every digital step that its users take. With a constantly shifting privacy policy, the way they change and reset privacy settings every few months and Timeline being a tracking monstrosity that became mandatory, Facebook is a privacy advocate’s worst nightmare. The list of ways that Facebook tracks and collates data on every user is both awe inspiring and terrifying in its magnitude, and Timeline is a privacy violation of the first order, at least in my mind.

But, to put it quite simply, they’re the biggest kid in the social media playground. When your grandmother, who can barely answer an email, starts following you on Facebook, you know it’s gotten deep penetration in the marketplace. And since it’s so big, just by its natural gravity, more users and more businesses are drawn to it. If you don’t have an account, people look at you like you’re a little strange and behind the times, whether it’s true or not. Quite frankly, in many people’s lives, it’s become a necessary tool for communicating with friends, family and/or customers, to the point that not having an account is nearly unthinkable.

Even I’ve had a Facebook account for years, as much as I’ve hated the idea. The main reason I created it was simply to grab my own name; I had already seen several people in the security community be impersonated by someone who grabbed their name before they did and had a page created for them, usually with malicious aims. I didn’t want that to happen to me, so I grabbed my account. I used it a little at first, mostly by integrating my Twitter stream into Facebook, but as the privacy concerns got bigger and bigger, I stopped using it altogether. I kept the account and logged in every six months or so, immediately clearing my cookies and rebooting my system afterward to clean the stain it left behind. I know millions of people use Facebook daily without serious harm, but the thought of having my activities tracked to the degree that Facebook does it is not something I’m comfortable with.

But, as I stated earlier, if you’re not on Facebook, you’re handicapping yourself in a significant way in interacting with friends, family and the people you do business with. As much as I hate being tracked, I came to the conclusion that it’s time to find a way to use Facebook while also maintaining control of what data is being pulled into my social media network(*). So I did what any social media security geek would do: I tweeted about the problem and waited for the replies to come in. And did they ever. I’ve collected some of the best links and software suggestions below.

When all was said and done, I decided the best way for me to use Facebook was to use the one major browser I hadn’t been using on my main system, Chrome. Rockmelt sounded cool, but I didn’t want to spend the time to research it and learn a different interface. Adding privacy filters or other extensions that allowed me to use Facebook privately in Firefox had some appeal, but relying on the extensions to keep up with Facebook’s changing policies and technologies didn’t inspire confidence in me over the long haul. I already had Chrome installed and wasn’t using it, so it was actually a pretty easy choice and because I’m only using it for Facebook a lot of the concerns around having my browsing practices tracked are almost completely assuaged. At least until Facebook learns to track across multiple browsers, that is.

Since I’m using Chrome as a dedicated Facebook browser, I decided to simply rely on the default install and change a number of the privacy settings, not something I would suggest if you use Chrome for other web browsing as well. If you click on the wrench in the upper right hand corner of Chrome and select ‘Settings’, it will open a new tab for the settings page. At the bottom of the page is a link, “Show advanced settings…”, which opens advanced settings such as Privacy. The ‘Content Settings’ button under Privacy opens up a new window, where the meat of the controls I wanted are. I selected the following controls:

Cookies: Allow local data to be set for the current session only.

Cookies: Clear cookies and other site plug-in data when I close my browser

JavaScript: Do not allow any site to run JavaScript (you have to make exceptions for Facebook itself, https://[*.].facebook.com:443 and http://[*.].facebook.com)

Handlers: Do not allow any site to handle protocols

Plug-ins: Click to play

Notifications: Do not allow any site to show desktop notifications

There’s probably more I can do to protect myself from tracking, especially if I wanted to install some of the Chrome plug-ins specifically aimed at Facebook. I’ve been using Facebook again for about a week or so. I plan on using it more in the future for putting up some of the pictures I take during my world travels, to promote the podcast and to promote the work I do at Akamai. I’m not really happy at getting sucked back into Facebook, but it isn’t really as evil as I sometimes make it out to be. It is, however, a huge, faceless organization that is determined to make a profit off of me no matter what else happens.

BTW, I do my banking on a completely separate computer that I do almost no other browsing on. Or email or social media for that matter.

(*The new version of ‘privacy’ is controlling the information about you that flows onto the interwebz. The pre-2000 view of privacy is dead, and even the new version is on life support with the data mining capabilities of many of our modern tools.)